In areas such as penetration and website performance testing, it’s often easier to keep track of your testing efforts if you have multiple email addresses to work with. More widely - whether it’s for business or personal use - email aliases can make it much easier to keep your inbox organized and help protect against spam and phishing attacks.
If you use Gmail, there’s a simple and often overlooked syntax trick that can give you unlimited Gmail addresses without the hassle of opening multiple accounts. Here’s how it works…
How to create Gmail aliases using the + sign
- When you first sign up for a Gmail account, you choose a username (e.g. johndoe). This username becomes the first part of your email address (firstname.lastname@example.org).
- You can append a plus (+) sign and any combination of characters after your username, but before the @ sign, (e.g. email@example.com). Any emails sent to that address variation will still come to the primary inbox for firstname.lastname@example.org.
- It works because the Google servers do not read the plus sign and anything that comes after it. When someone sends you an email, you’ll be able to see that they’ve used your alias (e.g. the message will show up as being addressed to email@example.com) but it will still land in your primary inbox.
- This feature also works with Google Workspace accounts. So let’s say one of your Workspace email addresses is firstname.lastname@example.org. Emails addressed to email@example.com will go to the same inbox.
Why the Gmail plus trick is more useful than the dot trick
There’s a further way to create Gmail aliases using dots. You can add as many dots as you want between characters before the @ sign (e.g. j.o.h.n.d.o.e.@gmail.com and Gmail will still deliver them to your primary inbox.
However, if you’re using aliases for testing, message tracking and organization purposes, it helps to be able to put in some explanatory text (e.g. firstname.lastname@example.org). Dots alone are harder to work with.
Also, the dot trick only works for email addresses ending in @gmail.com. It doesn’t work on Google Workspace accounts.
Ways to use email aliases
Here’s a few illustrations of how a Gmail alias can be a useful tool…
Take advantage of the same offer twice
Lots of online sellers have a sign-up bonus for new customers (e.g. 10% off your first order if you sign up to their newsletter).
Companies generally have filters in place to stop you from signing up to the same offer twice. However, if you use a Gmail + alias (together with a new username and a different payment method), you may be able to get around these filters.
Check who has your data
Who is this company, and how did they get into my inbox? A Gmail alias can give you answers.
Let’s say you’ve just found a brand that seems to roll out lots of cool discounts to its regular subscribers. You’d like to join their mailing list, but you’re suspicious about what they do with customer data.
You can subscribe to the list using a dedicated alias (e.g. email@example.com). If everything’s in order, then the only emails you’ll receive using that address will be from the company you signed up to.
If other senders are contacting you via that address, then either the original company has given out your details without permission, or else they’ve been hacked, and your data is out in the wild.
Limit the impact of a data breach
Let’s say one of the companies you’re signed up to has had its customer data hacked. This potentially means that your email address and password are on a database that’s available for purchase over the dark web. Typically, criminals will use software to systematically go through the list, using those credentials to attempt to log into particular sites (e.g. banking platforms).
The best way to prevent unlawful access to your accounts is obviously to use unique passwords and multi-factor authentication wherever you can. However, taking a belt and branches approach, if you use aliases for different sites (e.g. firstname.lastname@example.org for banking and email@example.com for social), it makes it that little bit harder for the criminals to mount an automated attack.
Organize your inbox
Using handy suffixes (e.g. +work, +signup, +vacation), you can set up Gmail filters. For instance, you could configure your inbox so that all messages addressed to firstname.lastname@example.org are labelled ‘work’ and sent to a specific folder. It’s a good way of staying organized when you’ve got lots of business and personal stuff all going into the same inbox.
If you are involved in penetration testing, you often need to test multiple levels of access. If you are using the same email address, it is difficult to track your results. Plus sign aliases can give you an infinite number of variations without the hassle of having to create multiple accounts.
These aliases can also be useful when running a social engineering penetration test. For instance, you are told that one of the companies you work for often receives payment requests from a business called xsupplies. So you create an alias (e.g. email@example.com) to see if any messages you create are opened, clicked or have credentials entered by careless employees.
You’re building a website for your new cyber security consulting business. You’ve got an email sign-up button on your homepage, sidebar and contact page. You want to make sure each one is working. You can test it by signing up using a different suffix for each one (+home, +side, +contact etc). If there’s a subscription missing from your list, you can immediately tell which button is broken.
The beauty of this approach is that you get multiple address variations, without having to open lots of different email accounts.
Let me know what ideas you have for using this gmail feature?